Windows security event logging
Windows Audit Logging
Accenture MxDR collects the contents of the Windows Audit Log for each of the Windows devices that you have enrolled with the service. All of the logs that are collected are archived within the MxDR platform for 12 months and some of them are used for security incident generation.
This document explains the minimum level of Windows logging that MxDR requires for effective incident generation to allow you to configure an appropriate audit policy on your enrolled Windows devices.
Basic and Advanced Audit Policy
From Windows Vista / Windows Server 2008 onward you have the choice of applying a Basic Audit Policy or an Advanced Audit Policy.
Using a Basic Audit Policy you can enable or disable logging for nine high-level categories of activity. With an Advanced Audit Policy each category is further broken into subcategories, each of which can have Success and Failure logging enabled or disabled individually, giving far more control over what is logged. The two should not be mixed: when you use an Advanced Audit Policy, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", otherwise a Basic Audit Policy applied to the same device can overwrite the subcategory settings.
For example, in the Basic Audit Policy you can enable logging for the category Account Logon. In an Advanced Audit Policy you can choose to enable logging individually for the following subcategories within Account Logon:
Credential Validation
Kerberos Authentication Service
Kerberos Service Ticket Operations
Other Account Logon Events
Windows Security Events
Each subcategory controls logging for multiple Windows Security Events. For example, enabling auditing for the Logon subcategory causes the following Security Events to be recorded:
4624(S): An account was successfully logged on.
4625(F): An account failed to log on.
4648(S): A logon was attempted using explicit credentials.
4675(S): SIDs were filtered.
Log Volumes
Enabling logging for some audit categories or subcategories can generate a substantial number of events, potentially more than your logging architecture can process effectively. We have therefore identified the subcategories that are most valuable for incident generation and ask that you enable these as a minimum.
Valuable subcategories for Incident Generation
For incident generation, MxDR recommends enabling logging of both Success and Failure for the following subcategories.
| Category | Subcategory | Volume (per Microsoft) | MITRE ATT&CK tactics and techniques |
|---|---|---|---|
| Account Logon | Credential Validation | High (DCs), Low (others) | TA0001 – Initial Access; TA0002 – Execution; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; TA0007 – Discovery; T1059 – Command and Scripting Interpreter; T1078 – Valid Accounts; T1087 – Account Discovery; T1114 – Email Collection; T1550 – Use Alternate Authentication Material |
| Account Logon | Kerberos Authentication Service | High (Kerberos KDCs) | TA0001 – Initial Access; TA0004 – Privilege Escalation; TA0006 – Credential Access; T1110 – Brute Force; T1187 – Forced Authentication; T1212 – Exploitation for Credential Access |
| Account Logon | Kerberos Service Ticket Operations | Very High (Kerberos KDCs) | TA0006 – Credential Access; T1550 – Use Alternate Authentication Material; T1558 – Steal or Forge Kerberos Tickets |
| Account Management | Computer Account Management | Low | TA0004 – Privilege Escalation; TA0006 – Credential Access; T1068 – Exploitation for Privilege Escalation; T1207 – Rogue Domain Controller |
| Account Management | Other Account Management Events | Low | TA0003 – Persistence; TA0004 – Privilege Escalation; T1036 – Masquerading; T1078 – Valid Accounts; T1550 – Use Alternate Authentication Material |
| Account Management | Security Group Management | Low | TA0002 – Execution; TA0003 – Persistence; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; T1027 – Obfuscated Files or Information; T1036 – Masquerading; T1053 – Scheduled Task/Job; T1059 – Command and Scripting Interpreter; T1078 – Valid Accounts; T1098 – Account Manipulation |
| Account Management | User Account Management | Low | TA0003 – Persistence; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; TA0006 – Credential Access; T1036 – Masquerading; T1098 – Account Manipulation; T1134 – Access Token Manipulation; T1136 – Create Account; T1212 – Exploitation for Credential Access; T1562 – Impair Defenses |
| Detailed Tracking | DPAPI Activity | Low | TA0006 – Credential Access; T1003 – OS Credential Dumping |
| Detailed Tracking | PNP Activity | Typically Low | TA0008 – Lateral Movement; T1569 – System Services |
| Detailed Tracking | Process Creation | Medium or High | TA0002 – Execution; TA0003 – Persistence; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; TA0006 – Credential Access; TA0007 – Discovery; TA0008 – Lateral Movement |
| Detailed Tracking | Process Termination | Low or Medium | TA0007 – Discovery; T1016 – System Network Configuration Discovery; T1018 – Remote System Discovery; T1482 – Domain Trust Discovery |
| DS Access | Directory Service Access | High (AD Domain Services) | TA0003 – Persistence; TA0004 – Privilege Escalation; TA0006 – Credential Access; TA0007 – Discovery; T1003 – OS Credential Dumping; T1069 – Permission Groups Discovery; T1087 – Account Discovery; T1222 – File and Directory Permissions Modification; T1546 – Event Triggered Execution |
| DS Access | Directory Service Changes | Medium (DCs) | TA0003 – Persistence; TA0011 – Command and Control; T1001 – Data Obfuscation; T1098 – Account Manipulation; T1207 – Rogue Domain Controller |
| Logon/Logoff | Account Lockout | Low | T1110 – Brute Force |
| Logon/Logoff | Group Membership | Medium (DCs), Low (others) | TA0003 – Persistence; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; TA0006 – Credential Access; T1036 – Masquerading; T1098 – Account Manipulation; T1134 – Access Token Manipulation; T1212 – Exploitation for Credential Access |
| Logon/Logoff | Logoff | High | TA0001 – Initial Access; TA0004 – Privilege Escalation; TA0008 – Lateral Movement; T1078 – Valid Accounts; T1110 – Brute Force |
| Logon/Logoff | Logon | Medium (DCs), Low (others) | TA0001 – Initial Access; TA0002 – Execution; TA0003 – Persistence; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; TA0006 – Credential Access; TA0007 – Discovery; TA0008 – Lateral Movement; T1021 – Remote Services; T1047 – Windows Management Instrumentation; T1059 – Command and Scripting Interpreter; T1078 – Valid Accounts; T1110 – Brute Force; T1114 – Email Collection; T1133 – External Remote Services; T1187 – Forced Authentication; T1190 – Exploit Public-Facing Application; T1210 – Exploitation of Remote Services; T1546 – Event Triggered Execution; T1550 – Use Alternate Authentication Material |
| Logon/Logoff | Other Logon/Logoff Events | Low | TA0008 – Lateral Movement; T1078 – Valid Accounts; T1550 – Use Alternate Authentication Material; T1558 – Steal or Forge Kerberos Tickets |
| Logon/Logoff | Special Logon | Medium (DCs), Low (others) | TA0004 – Privilege Escalation; TA0008 – Lateral Movement; T1078 – Valid Accounts |
| Object Access | Certification Services | Medium or Low (AD Certificate Services servers) | TA0004 – Privilege Escalation; TA0006 – Credential Access |
| Object Access | Detailed File Share | High (file servers and DCs), Low (others) | TA0002 – Execution; TA0003 – Persistence; TA0005 – Defense Evasion; TA0006 – Credential Access; TA0007 – Discovery; TA0008 – Lateral Movement; TA0009 – Collection; T1003 – OS Credential Dumping; T1012 – Query Registry; T1021 – Remote Services; T1039 – Data from Network Shared Drive; T1053 – Scheduled Task/Job; T1112 – Modify Registry; T1187 – Forced Authentication; T1212 – Exploitation for Credential Access; T1547 – Boot or Logon Autostart Execution; T1552 – Unsecured Credentials; T1569 – System Services |
| Object Access | File Share | High (file servers and DCs), Low (others) | TA0008 – Lateral Movement; T1021 – Remote Services |
| Object Access | Filtering Platform Connection | High | TA0005 – Defense Evasion; TA0007 – Discovery; TA0008 – Lateral Movement; TA0010 – Exfiltration; TA0011 – Command and Control; T1021 – Remote Services; T1059 – Command and Scripting Interpreter; T1087 – Account Discovery; T1090 – Proxy; T1558 – Steal or Forge Kerberos Tickets |
| Object Access | Filtering Platform Packet Drop | High | |
| Object Access | Other Object Access Events | Low | TA0002 – Execution; TA0003 – Persistence; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; T1053 – Scheduled Task/Job; T1112 – Modify Registry; T1543 – Create or Modify System Process |
| Object Access | Registry | Medium or Low | TA0001 – Initial Access; TA0005 – Defense Evasion; TA0006 – Credential Access; TA0007 – Discovery; TA0008 – Lateral Movement; TA0009 – Collection; TA0040 – Impact; T1003 – OS Credential Dumping; T1012 – Query Registry; T1021 – Remote Services; T1027 – Obfuscated Files or Information; T1110 – Brute Force; T1112 – Modify Registry; T1123 – Audio Capture; T1485 – Data Destruction; T1486 – Data Encrypted for Impact; T1487 – Disk Structure Wipe; T1552 – Unsecured Credentials; T1553 – Subvert Trust Controls; T1562 – Impair Defenses |
| Object Access | Removable Storage | Not listed | TA0001 – Initial Access; T1025 – Data from Removable Media; T1052 – Exfiltration Over Physical Medium; T1091 – Replication Through Removable Media |
| Policy Change | Audit Policy Change | Low | TA0005 – Defense Evasion; TA0006 – Credential Access; T1003 – OS Credential Dumping; T1562 – Impair Defenses |
| Policy Change | Authentication Policy Change | Low | TA0006 – Credential Access; T1098 – Account Manipulation |
| Policy Change | Filtering Platform Policy Change | Not listed | TA0005 – Defense Evasion; T1562 – Impair Defenses |
| Privilege Use | Sensitive Privilege Use | High | TA0002 – Execution; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; TA0008 – Lateral Movement; T1021 – Remote Services; T1059 – Command and Scripting Interpreter; T1548 – Abuse Elevation Control Mechanism; T1558 – Steal or Forge Kerberos Tickets; T1562 – Impair Defenses |
| System | Other System Events | Low | TA0008 – Lateral Movement; T1021 – Remote Services |
| System | Security System Extension | Low | TA0002 – Execution; TA0003 – Persistence; TA0004 – Privilege Escalation; TA0005 – Defense Evasion; TA0006 – Credential Access; TA0008 – Lateral Movement; TA0010 – Exfiltration; T1003 – OS Credential Dumping; T1021 – Remote Services; T1027 – Obfuscated Files or Information; T1048 – Exfiltration Over Alternative Protocol; T1059 – Command and Scripting Interpreter; T1134 – Access Token Manipulation; T1543 – Create or Modify System Process; T1554 – Compromise Client Software Binary; T1569 – System Services; T1570 – Lateral Tool Transfer |
| System | System Integrity | Low | TA0005 – Defense Evasion; T1027 – Obfuscated Files or Information |
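The following PowerShell script is an added example, not part of the MxDR documentation or an MxDR tool. It applies the minimum set of subcategories from the table above with auditpol.exe on a single device, then reads the effective policy back and reports any subcategory that is not set to Success and Failure. It assumes the device is not receiving a conflicting domain GPO (if it is, the same settings belong in the GPO instead), and it uses the auditpol subcategory names, which differ from the table in one place: the "PNP Activity" subcategory is named "Plug and Play Events" in auditpol.

```powershell
# Added example: apply and verify the MxDR minimum advanced audit policy.
# Run from an elevated PowerShell prompt. Assumes no domain GPO will overwrite
# the local settings at the next policy refresh.

$Required = @(
    # Account Logon
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    # Account Management
    'Computer Account Management', 'Other Account Management Events',
    'Security Group Management', 'User Account Management',
    # Detailed Tracking ("PNP Activity" is "Plug and Play Events" in auditpol)
    'DPAPI Activity', 'Plug and Play Events', 'Process Creation', 'Process Termination',
    # DS Access
    'Directory Service Access', 'Directory Service Changes',
    # Logon/Logoff
    'Account Lockout', 'Group Membership', 'Logoff', 'Logon',
    'Other Logon/Logoff Events', 'Special Logon',
    # Object Access
    'Certification Services', 'Detailed File Share', 'File Share',
    'Filtering Platform Connection', 'Filtering Platform Packet Drop',
    'Other Object Access Events', 'Registry', 'Removable Storage',
    # Policy Change
    'Audit Policy Change', 'Authentication Policy Change', 'Filtering Platform Policy Change',
    # Privilege Use
    'Sensitive Privilege Use',
    # System
    'Other System Events', 'Security System Extension', 'System Integrity'
)

# 1. Make the advanced (subcategory) settings win over any legacy basic policy.
#    This registry value backs the security option "Audit: Force audit policy
#    subcategory settings (Windows Vista or later) to override audit policy
#    category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Enable Success and Failure auditing for every required subcategory.
foreach ($sub in $Required) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub'" }
}

# 3. Read the effective policy back as CSV and compare it with the requirement.
#    auditpol /r can emit a leading blank line, so drop empty lines before parsing.
$Effective = & auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv

$Gaps = foreach ($sub in $Required) {
    $row = $Effective | Where-Object { $_.Subcategory -eq $sub }
    if (-not $row) {
        [pscustomobject]@{ Subcategory = $sub; Setting = 'NOT FOUND (name mismatch?)' }
    } elseif ($row.'Inclusion Setting' -ne 'Success and Failure') {
        [pscustomobject]@{ Subcategory = $sub; Setting = $row.'Inclusion Setting' }
    }
}

if ($Gaps) {
    Write-Warning 'Subcategories below the MxDR minimum:'
    $Gaps | Format-Table -AutoSize
} else {
    Write-Host "All $($Required.Count) required subcategories audit Success and Failure."
}
```

The verification step is the part worth keeping in a scheduled job: a Basic Audit Policy pushed by GPO, or a local administrator running auditpol, can silently reset subcategories, and the "Audit Policy Change" events (which the table already requires) only help if someone is looking at them. Subcategory names are localized, so on non-English systems pass the subcategory GUIDs from `auditpol /list /subcategory:* /v` to `/subcategory:` instead of the names.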
Command Line Process Auditing
Enabling the "Process Creation" subcategory causes the creation of new processes to be logged to the audit log. The information in this log can be significantly enhanced by enabling command line auditing, so that the full command line that started the new process is captured as well as the executable name. Be aware that command lines can contain secrets (for example passwords passed as arguments), and these are then written to the Security log and forwarded with it.
To enable this:
Ensure that Audit Process Creation is enabled in the Advanced Audit Policy
Edit the group policy "Computer Configuration > Administrative Templates > System > Audit Process Creation" to enable "Include command line in process creation event"
Security Event ID 4688 should now include the command line in its Process Command Line field
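As an added example (not from the MxDR documentation), the script below performs the same three steps on a single device without Group Policy and then proves that new 4688 events actually carry the command line. It writes the registry value that the "Include command line in process creation event" policy setting writes; in a managed domain the GPO setting should be used instead, because a conflicting GPO will reset the local value at the next refresh. The marker string and the use of cmd.exe as the test process are arbitrary choices for the example.

```powershell
# Added example: enable command-line capture for Security event 4688 and verify it.
# Run elevated. Assumes no domain GPO overrides the local registry value.

# Step 1: Audit Process Creation must be on, or there will be no 4688 events at all.
& auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# Step 2: the policy-backed registry value that adds the CommandLine field to 4688.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Step 3: start a process with a distinctive argument (arbitrary marker for this
# example), then read back the 4688 events logged since and extract their fields.
$start  = Get-Date
$marker = 'mxdr-cmdline-check'
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -Wait -WindowStyle Hidden

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start } `
    -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4688 stores its fields as <Data Name="..."> elements under EventData.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Subject     = $d['SubjectUserName']
        Process     = $d['NewProcessName']
        CommandLine = $d['CommandLine']
    }
}

# An empty CommandLine on an event logged after the change means the setting did
# not take effect (typically because a GPO is resetting the registry value).
$missing = @($rows | Where-Object { -not $_.CommandLine })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) of $($rows.Count) new 4688 events have no command line."
}

# The test process should appear with its full command line.
$rows | Where-Object { $_.CommandLine -like "*$marker*" } | Format-Table -AutoSize
```

Filtering on StartTime matters for the check: 4688 events written before the setting took effect legitimately have an empty Process Command Line field, so only events newer than the change say anything about whether it worked.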
Windows Powershell Logging
Windows PowerShell logging provides important information about suspicious or malicious PowerShell commands. Logging for PowerShell is not configured via the Audit Policy but via a separate group policy for PowerShell, and the events are written to the Microsoft-Windows-PowerShell/Operational log rather than the Security log.
To enable this:
Edit the group policy "Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell" to enable the following settings
| Setting | What it records | Volume | Reason for logging |
|---|---|---|---|
| Module Logging | Pipeline execution | Very High | TA0002 – Execution |
| Script Block Logging | All code blocks executed | Medium | |
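The following script is an added example, not part of the MxDR documentation. It enables both settings on a single device by writing the registry values the two Group Policy settings write, then runs a Base64-encoded command, the way many PowerShell loaders are delivered, and confirms that the Operational log recorded the decoded script block. It assumes no domain GPO overrides these values; in a managed estate set them in the GPO described above instead. The marker string is an arbitrary choice for the example.

```powershell
# Added example: enable PowerShell Module Logging and Script Block Logging via the
# policy registry values, then verify that 4103/4104 events are being written.
# Run elevated. Assumes no domain GPO overrides these values.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module Logging: record pipeline execution for every module ("*" = all modules).
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' `
    -PropertyType String -Force | Out-Null

# Script Block Logging: record the code of every script block as the engine compiles it.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Run an encoded command in a fresh process (the new process picks up the policy).
# Script block logging records the decoded text, not the Base64 that was shipped.
$start   = Get-Date
$marker  = 'mxdr-sbl-check'   # arbitrary marker for this example
$payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output '$marker'"))
& powershell.exe -NoProfile -EncodedCommand $payload | Out-Null

# 4104 = script block text (Script Block Logging); 4103 = pipeline details (Module Logging).
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = $start }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$counts = $events | Group-Object Id | Select-Object Name, Count
Write-Host 'Events since the change, by ID:'
$counts | Format-Table -AutoSize

$hits = foreach ($e in $events) {
    if ($e.Id -ne 4104) { continue }
    # 4104 keeps the code in the ScriptBlockText field. Blocks larger than the
    # per-event limit are split across several 4104 events (MessageNumber of
    # MessageTotal, sharing one ScriptBlockId) and have to be joined for analysis.
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $x.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data['ScriptBlockText'] -like "*$marker*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Level   = $e.LevelDisplayName
            BlockId = $data['ScriptBlockId']
            Part    = "$($data['MessageNumber'])/$($data['MessageTotal'])"
            Text    = $data['ScriptBlockText']
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else { Write-Warning 'No 4104 event containing the decoded marker was found; check that the policy applied.' }
```

Two points to keep in mind when reading the result. First, seeing some 4104 events is not by itself proof that Script Block Logging is on: since PowerShell 5.0 the engine logs blocks it regards as suspicious at Warning level even when the policy is disabled, whereas blocks logged because of the policy arrive at Verbose level, which is why the Level column is included. Second, 4103 events only appear once Module Logging is enabled, and as the table above notes they are very high volume, so confirm your collection pipeline can absorb them before enabling the setting fleet-wide.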
Audit logs for archiving
In addition to the audit subcategories considered most valuable for incident generation, there are other subcategories you may wish to send to MxDR to store and include in incidents.
Please review your own audit/compliance requirements and information from Microsoft below about the available audit information and enable logging for the subcategories you think are appropriate.
Further Information
Advanced Security Audit Policies
Advanced Security Audit Policy Settings
Detailed information about defining an Audit Policy
Command Line Process Auditing
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.